You configure vSphere Update Manager to apply updates on the management components of the SDDC according to the objectives of this design.

UMDS Virtual Machine Specification

You allocate resources to and configure the virtual machines for UMDS according to the following specification:

Table 1. UMDS Virtual Machine Specifications

Attribute

Specification

vSphere Update Manager Download Service

vSphere 6.5

Number of CPUs

2

Memory

2 GB

Disk Space

120 GB

Operating System

Ubuntu 14.04 LTS

ESXi Host and Cluster Settings

When you perform updates by using the vSphere Update Manager, the update operation affects certain cluster and host base settings. You customize these settings according to your business requirements and use cases.

Table 2. Host and Cluster Settings That Are Affected by vSphere Update Manager

Settings

Description

Maintenance mode

During remediation, updates might require the host to enter maintenance mode.

Virtual machines cannot run when a host is in maintenance mode. For availability during a host update, virtual machines are migrated to other ESXi hosts within a cluster before the host enters maintenance mode. However, putting a host in maintenance mode during update might cause issues with the availability of the cluster.

vSAN

When using vSAN, consider the following factors when you update hosts by using vSphere Update Manager:

  • Host remediation might take a significant amount of time to complete because, by design, only one host from a vSAN cluster can be in maintenance mode at one time.

  • vSphere Update Manager remediates hosts that are a part of a vSAN cluster sequentially, even if you set the option to remediate the hosts in parallel.

  • If the number of failures to tolerate is set to 0 for the vSAN cluster, the host might experience delays when entering maintenance mode. The delay occurs because vSAN copies data between the storage devices in the cluster.

    To avoid delays, set a vSAN policy where the number failures to tolerate is 1, as is the default case.

You can control the update operation by using a set of host and cluster settings in vSphere Update Manager.

Table 3. Host and Cluster Settings for Updates

Level

Setting

Description

Host settings

VM power state when entering maintenance mode

You can configure vSphere Update Manager to power off, suspend, or do not control virtual machines during remediation. This option applies only if vSphere vMotion is not available for a host.

Retry maintenance mode in case of failure

If a host fails to enter maintenance mode before remediation, vSphere Update Manager waits for a retry delay period and retries putting the host into maintenance mode as many times as you indicate.

Allow installation of additional software on PXE-booted hosts

You can install solution software on PXE-booted ESXi hosts. This option is limited to software packages that do not require a host reboot after installation.

Cluster settings

Disable vSphere Distributed Power Management (DPM), vSphere High Availability (HA) Admission Control, and Fault Tolerance (FT)

vSphere Update Manager does not remediate clusters with active DPM, HA, and FT.

Enable parallel remediation of hosts

vSphere Update Manager can remediate multiple hosts.

Note:

Parallel remediation is not supported if you use vSAN, and remediation is performed serially for the ESXi hosts.

Migrate powered-off or suspended virtual machines

vSphere Update Manager migrates the suspended and powered-off virtual machines from hosts that must enter maintenance mode to other hosts in the cluster. The migration is launched on virtual machines that do not prevent the host from entering maintenance mode.

Virtual Machine and Virtual Appliance Update Settings

vSphere Update Manager supports remediation of virtual machines and appliances. You can provide application availability upon virtual machine and appliance updates by performing the following operations:

Table 4. vSphere Update Manager Settings for Remediation of Virtual Machines and Appliances

Configuration

Description

Take snapshots before virtual machine remediation

If the remediation fails, use the snapshot to return the virtual machine to the state before the remediation.

Define the window in which a snapshot persists for a remediated virtual machine

Automatically clean up virtual machine snapshots that are taken before remediation.

Enable smart rebooting for VMware vSphere vApps remediation

Start virtual machines after remediation to maintain startup dependencies no matter if some of the virtual machines are not remediated.

Baselines and Groups

vSphere Update Manager baselines and baseline groups are collections of patches that you can assign to a cluster or host in the environment. According to the business requirements, the default baselines might not be allowed until patches are tested or verified on development or pre-production hosts. Baselines can be confirmed so that the tested patches are applied to hosts and only updated when appropriate.

Table 5. Baseline and Baseline Group Details

Baseline or Baseline Group Feature

Description

Baselines

Types

Four types of baselines exist:

  • Dynamic baselines - Change as items are added to the repository.

  • Fixed baselines - Remain the same.

  • Extension baselines - Contain additional software modules for ESXi hosts for VMware software or third-party software, such as device drivers.

  • System-managed baselines - Automatically generated according to your vSphere inventory. A system-managed baseline is available in your environment for a vSAN patch, upgrade, or extension. You cannot add system-managed baselines to a baseline group, or to attach or detach them.

Default Baselines

vSphere Update Manager contains the following default baselines. Each of these baselines is configured for dynamic selection of new items.

  • Critical host patches - Upgrades hosts with a collection of critical patches that are high priority as defined by VMware.

  • Non-critical host patches - Upgrades hosts with patches that are not classified as critical.

  • VMware Tools Upgrade to Match Host - Upgrades the VMware Tools version to match the host version.

  • VM Hardware Upgrade to Match Host - Upgrades the VMware Tools version to match the host version.

  • VA Upgrade to Latest - Upgrades a virtual appliance to the latest version available.

Baseline groups

Definition

A baseline group consists of a set of non-conflicting baselines. You use baseline groups to scan and remediate objects against multiple baselines at the same time. Use baseline groups to construct an orchestrated upgrade that contains a combination of an upgrade baseline, patch baseline, or extension baselines

Types

You can create two types of baseline groups according to the object type:

  • Baseline groups for ESXi hosts

  • Baseline groups for virtual machines

ESXi Image Configuration

You can store full images that you can use to upgrade ESXi hosts. These images cannot be automatically downloaded by vSphere Update Manager from the VMware patch repositories. You must obtain the image files from the VMware Web site or a vendor-specific source. The image can then be upload to vSphere Update Manager.

There are two ways in which you can add packages to an ESXi image:

Using Image Builder

If you use Image Builder, add the NSX software packages, such as esx-vdpi, esx-vsip and esx-vxlan, to the ESXi upgrade image. You can then upload this slipstreamed ESXi image to vSphere Update Manager so that you can use the hosts being upgraded in a software-defined networking setup. Such an image can be used for both upgrades and future fresh ESXi installations.

Using Baseline Group

If you use a baseline group, you can add additional patches and extensions, such as the NSX software packagesesx-vdpi, esx-vsip and esx-vxlan, to an upgrade baseline containing the ESXi image. In this way, vSphere Update Manager can orchestrate the upgrade while ensuring the patches and extensions are non-conflicting. Performed the following steps:

  1. Download the NSX software packages bundle from the NSX Manager.

  2. Include the NSX software packages, such as esx-vdpi, esx-vsip and esx-vxlan, in an extension baseline.

  3. Combine the extension baseline with the ESXi upgrade baseline in a baseline group so that you can use the hosts being upgraded in a software-defined networking setup.

vSphere Update Manager Logical Design Decisions

This design applies the following decisions on the logical design of vSphere Update Manager and update policy:

Table 6. vSphere Update Manager Logical Design Decisions

Design ID

Design Decision

Design Justification

Design Implication

CSDDC-OPS-VUM-006

Use the default patch repositories by VMware.

Simplifies the configuration because you do not configure additional sources.

None.

CSDDC-OPS-VUM-007

Set the VM power state to Do Not Power Off.

Ensures highest uptime of management components and compute workload virtual machines.

You must manually intervene if the migration fails.

CSDDC-OPS-VUM-008

Enable parallel remediation of hosts assuming that enough resources are available to update multiple hosts at the same time.

Provides fast remediation of host patches.

More resources unavailable at the same time during remediation.

CSDDC-OPS-VUM-009

Enable migration of powered-off virtual machines and templates.

Ensures that templates stored on all management hosts are accessible.

Increases the amount of time to start remediation for templates to be migrated.

CSDDC-OPS-VUM-010

Use the default critical and non-critical patch baselines for the consolidated cluster.

Simplifies the configuration because you can use the default baselines without customization.

All patches are added to the baselines as soon as they are released.

CSDDC-OPS-VUM-011

Use the default schedule of a once-per-day check and patch download.

Simplifies the configuration because you can use the default schedule without customization

None.

CSDDC-OPS-VUM-012

Remediate hosts, virtual machines, and virtual appliances once a month or per business guidelines.

Aligns the remediation schedule with the business policies.

None.

CSDDC-OPS-VUM-013

Use a baseline group to add NSX for vSphere software packages to the ESXi upgrade image.

  • Supports parallel remediation of ESXi hosts by ensuring that the ESXi hosts are ready for software-defined networking immediately after the upgrade.

  • Prevents from additional NSX remediation.

NSX for vSphere updates require periodic updates to Group Baseline.

CSDDC-OPS-VUM-014

Configure an HTTP Web server on each UMDS service that the connected vSphere Update Manager servers must use to download the patches from.

Enables the automatic download of patches on vSphere Update Manager from UMDS. The alternative is to copy media from one place to another manually.

You must be familiar with a third-party Web service such as Nginx or Apache.

CSDDC-OPS-VUM-015

Configure vSphere Update Manager integration with vSAN.

Enables the integration of vSphere Update Manager with the vSAN Hardware Compatibility List (HCL) for additional precision and optimization when patching ESXi hosts within a specific vSphere release that manage a vSAN datastore.

  • You cannot perform upgrades between major revisions, for example, from ESXi 6.0 to ESXi 6.5, because of the NSX integration. You must maintain a custom baseline group when performing a major upgrade.

  • To access the available binaries, you must have an active account on myvmware.com.